Common Private DNS Issues
Troubleshoot common issues with private DNS.
- If a resolver rule matches the set conditions then the action is applied regardless of result. Later rules are not applied. For example, if the target destination of a forward rule is unreachable, the traffic is forwarded and no further rule actions are taken.
- When creating a resolver endpoint, ensure the subnet has enough available IP addresses. Listening resolver endpoints require one. Forwarding resolver endpoints require two.
- If compute instances want to resolve private DNS views and rules using the 169.254.169.254 resolver and they're using custom DHCP settings, 169.254.169.254 must appear in the DHCP nameserver list, otherwise 169.254.169.254 only resolves queries to the internet.
-
The private DNS system evaluates DNS requests in the following sequence:
- Private views (zones )
- Rules
- Internet
For example, if there were a rule to forward any name matching
onprem.example.com
to an on-premises system, but there was a zone in a private view defined asexample.com
. The private view would answer the lookup foronprem.example.com
and the forwarding rule would never be reached.
Serving Stale Data to Improve DNS Resiliency
- If the private DNS service is unable to resolve a DNS request that had been resolved earlier but has an expired cache TTL, the private DNS resolver might answer the DNS request from cache per RFC8767 with a 30 second TTL. Later DNS requests try to resolve by private DNS, and might continue to be served from the stale cache for a maximum of 24 hours or until the request is successfully resolved.